Method and system for capturing and automating execution of administrative processes in a machine-readable format

ABSTRACT

The present invention provides a method, a system and a computer program product for capturing administrative processes in a machine-readable format, and for automating the execution of the captured administrative processes. An administrative process comprises administrative tasks, which, in turn, comprise administrative commands that need to be performed, to execute the administrative process. All the administrative commands are captured in a machine-readable format using a generic command framework, to form profiles. The execution of the captured administrative processes is automated by performing the following steps: selecting profiles that need to processed for the execution of a selected administrative process; processing the selected profiles; updating the processed profiles; processing the updated profiles again, if required; and selecting and processing additional profiles which need to be processed to execute the selected administrative process.

BACKGROUND

The present invention relates to the automation of administrativeprocesses in a local or networked environment. More specifically, thepresent invention relates to a method and system for capturingadministrative processes in a machine-readable format to automate theexecution of administrative processes in a local or networkedenvironment.

During the last few years, the complexity of computer networks and theassociated administrative processes involved in the management ofcomputer networks has increased significantly. Administrative processescomprise one or more administrative tasks that need to be performed. Theincreased complexity of the administrative processes has led to anassociated increase in the demand for resources, required for themanagement of the administrative processes.

The resources required to manage the administrative processes ofcomputer networks mainly comprise manpower and material resources.Manpower resources comprise the administrative staff, who are requiredto define administrative processes and execute them, as and whenrequired. Material resources comprise hardware and software components,involved in the execution of administrative processes.

The increased demand for manpower resources and capital resources hasresulted in a significant increase in the costs associated with themanagement of administrative processes. Although both these costs haveincreased, the increase in costs associated with manpower resources havebeen significantly higher compared to that associated with materialresources. There are two main reasons for this.

The first reason is the increased complexity of the administrativeprocesses. Due to various factors such as increased threats to systemsecurity, increased network size and other problems, the number andcomplexity of the administrative processes have increased significantly.This has resulted in an enhanced requirement for administrative staff,who are required to create and execute the administrative processes.

The second reason is that the administrative processes are generally notcaptured in a re-usable format by the administrative staff. Asignificant amount of knowledge regarding the administrative processesis generally available only to the members of the administrative staff,who create or use the administrative processes. This leads to problemssuch as non-availability of knowledge about the administrative processesto other staff members for re-use. Further, it may also be possible tomodify administrative processes to achieve different objectives.However, if the administrative processes are not available in a properre-usable format, it may not be possible to extend the use of theseadministrative processes to achieve different objectives.

A solution for this is to capture all administrative processes in are-usable format. Further, the selection and execution of the capturedadministrative processes can also be automated to a considerable extent.This can lead to a significant reduction in the costs associated withthe management of administrative processes. Several attempts have beenmade to create methods and systems, which can be used to capture theadministrative processes.

WIPO patent publication WO0235315A2, titled “Remote Network ManagementSoftware”, describes one such system and method for managing networksremotely. This is achieved by installing distributed software agents inthe remote components being managed. The publication discloses anextensible framework that comprises a software component framework toupdate and manage remote network services. This framework is implementedvia Extensible Mark-up Language (XML), or any other Standard GeneralizedMark-up Language (SGML).

U.S. Pat. No. 6,1156,46, titled “Dynamic And Generic Process AutomationSystem”, describes a system that provides workflow management servicesin a heterogeneous distributed computing environment. This inventiondecouples process definitions, run-time process management and processexecution agents to create an object-oriented process automation engine.

U.S. patent application US20010018710, titled “System and Method forImproved Automation of a Computer Network”, describes a system andmethod for controlling the automation process in a computer network.This is achieved by the introduction of an abstract resource model,which comprises an automation decision-making component and anautomation-execution component.

There are certain limitations associated with the use of theabove-mentioned methods and systems. These methods and systems do notachieve the automation of administrative processes in a computer systemby capturing the administrative commands in a machine-readable format.Hence, they do not facilitate the usage of the captured commands formultiple uses.

Further, the above-mentioned methods and systems use differentframeworks to capture different administrative commands. The use ofvarious frameworks to capture different administrative commandssignificantly increases the complexity involved in the use of thesemethods and systems.

Hence, there exists a need for a method and system that can be used tocapture the administrative processes in a re-usable format, by using ageneric framework to capture the administrative commands. Further, themethod and system should also be capable of automating the execution ofthe captured administrative processes.

SUMMARY

In accordance with one aspect, the present invention provides a methodfor capturing administrative processes in a machine-readable format. Theadministrative processes comprise one or more administrative tasks thathave to be performed to execute the processes. Each administrative taskhas an objective and is defined by one or more administrative commandsthat need to be executed by system elements to achieve the objective ofthe administrative task. An administrative command is amachine-understandable instruction, which causes a processing machine toperform an operation, as specified by the command. Examples ofadministrative commands comprise shell commands (e.g., <mkdir>), as wellas other commands such as system commands. A system command is anadministrator's instruction (not a part of a program) that calls forsome action by the processing machine's executive program (a programthat controls the execution of other programs).

A generic command framework is created to capture the structures of alltypes of administrative commands used in the administrative process. Theadministrative commands are captured by writing them in amachine-readable format, in accordance with the generic commandframework. Captured administrative commands that define anadministrative task are written in a machine-readable format in adocument, to generate a profile. Network maps, which comprise thedetails of one or more servers in a networked environment, are alsogenerated. Administrative lists are generated by combining profiles thatdefine the administrative tasks, which constitute an administrativeprocess. In this manner, each administrative list captures anadministrative process in a machine-readable format.

In accordance with another aspect, the present invention provides amethod for capturing administrative processes in a machine-readableformat, and further automating the execution of the capturedadministrative processes. A first set of administrative lists isselected based on the administrative process to be executed. Theprofiles contained in the selected administrative list are thenprocessed to perform the desired administrative tasks that constitutethe administrative process.

The processing of a profile comprises the steps involved in parsing theprofile to generate events; executing the generated events by usingadministered components; collecting messages generated by theadministered components in response to the executed events; updating theselected profiles, based on the collected messages; processing theupdated profiles again, if required; and selecting new profiles forprocessing, based on the results of execution of the previouslyprocessed profiles. The selection and processing of profiles in thismanner leads to the execution of the administrative process.

In accordance with another aspect, the present invention provides asystem for capturing administrative processes in a machine-readableformat, and further automating the execution of the capturedadministrative processes. The system comprises a profile generator togenerate profiles; a network map generator to generate network maps; anadministrative list generator to generate administrative lists fromprofiles and network maps; a front end; and a back end. The front endenables at least one function from among the various functions involvedin the selection of profiles contained in administrative lists, readingthe selected profiles, and transforming them. The back-end comprises anevent-driven machine to process the selected profiles, which have beenwritten in a structured mark-up language; and one or more controllers toconnect the front-end to the event-drive machine to process profiles.

BRIEF DESCRIPTION OF THE DRAWINGS

The preferred embodiments of the invention will hereinafter be describedin conjunction with the appended drawings provided to illustrate and notto limit the invention, wherein like designations denote like elements,and in which:

FIG. 1 illustrates a method for capturing administrative processes in amachine-readable format, in accordance with one embodiment of thepresent invention;

FIG. 2 illustrates a method for capturing administrative processes andautomating the execution of the captured administrative processes, inaccordance with one embodiment of the present invention; and

FIG. 3 illustrates the environment in which the system for capturing theadministrative processes and automating the execution of the capturedadministrative processes of the present invention works, in accordancewith one embodiment of the present invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention presents a method and system for capturingadministrative processes in a machine-readable format. The presentinvention also presents a method and a system for capturing theadministrative processes in a machine-readable format, and furtherautomating the execution of the captured administrative processes.

An administrative process comprises one or more administrative tasks,which need to be performed in a pre-defined order, to execute theadministrative process.

The administrative tasks comprise one or more administrative commands.These administrative commands when executed in a pre-defined order, leadto the accomplishment of the administrative task. Each administrativecommand is a machine-understandable instruction that causes a processingmachine to perform an operation. The processing machine can be ageneral-purpose computing device, a programmed microprocessor, amicro-controller, an integrated circuit element or other devices orarrangements of devices, which are capable of executing theadministrative commands that comprise the administrative task. Further,combinations of one or more processing machines can also be involved inexecuting administrative commands.

An administrative process can be captured in a machine-readable formatby capturing the constituent administrative tasks. In turn, theadministrative tasks can be captured in the machine-readable format bycapturing the constituent administrative commands in themachine-readable format.

Administrative commands may be commands that are manually entered by anadministrator, or the commands that are automatically generated by asystem. Further, the manually-entered or system-generated administrativecommands can be of two types—shell commands and system commands. A shellcommand is a command entered in a shell to accomplish an administrativetask. A shell is a command interpreter that provides an interactive userinterface with an operating system, and is the layer of programming thatunderstands and executes the commands a user enters. A system command isan administrator's instruction (not part of a program) that calls foraction by the processing machine's executive program (a program thatcontrols the execution of other programs).

For example, editing a configuration file can be an administrative task.All system-generated and administrator-generated administrative commandsthat are required to be processed, in order to edit the configurationfile, will be captured in a machine-readable format.

A generic command framework can be used to capture the administrativecommands in a machine-readable format using a structured mark uplanguage. The generic command framework defines a set of rules, based onwhich the different structural elements of an administrative command areexpressed in a machine-readable format. The structural elements of anadministrative command comprise command name, shell-related information,command parameters and command flags. All these structural elements canbe captured in accordance with the generic command framework, asdescribed in the present invention. Any structured mark up language canbe used to design and implement such a generic command framework forcapturing the administrative commands.

Further, multiple command frameworks can be used for capturing differenttypes of administrative commands. However, the use of multiple commandframeworks adds to the complexity involved in the process of capturingthe administrative commands in a machine-readable format. Therefore, inone embodiment of the present invention, only one generic commandframework is used for capturing the administrative commands in amachine-readable format. The generic command framework specifies thefollowing rules (fields) for capturing the different elements of anadministrative command

-   -   <command name=“abc”> captures the name of the typed command and        changes accordingly with different commands.    -   <shell> captures elements that express shell ideas such as path        information.

<param> captures the parameters a command needs. A parameter can bespecified by using a name=“abc” format. For example, in the profilegiven above, <amin:param name=“target”> specifies the location where anew directory should be created.

-   -   <flag> captures the flags of an administrative command. Flags        represent the additional information that is required to be        given with a command. For example, the mode (which is an octal        value, like 0755) of an administrative command like “mkdir”        needs to be specified by a user. In accordance with the generic        command framework, this information can be captured as <flag        name=“mode”>0755</flag>.

Although a single generic command framework has been used for capturingthe administrative commands in this embodiment, it will be apparent to aperson skilled in the art that multiple generic command frameworks canalso be used to capture different types of administrative commands in amachine-readable format.

FIG. 1 illustrates a method for capturing administrative processes in amachine-readable format, in accordance with one embodiment of thepresent invention.

At step 101, a generic command framework is created to captureadministrative commands in a machine-readable format. The administrativecommands when expressed in a machine-readable format, in accordance withthe generic command framework, are called captured administrativecommands.

In one embodiment of the present invention, Extensible Mark up Language(XML) is used to design and implement the machine-readable format. Thismeans that all administrative commands are expressed in amachine-readable format using XML.

For example, when an administrative command such as

-   -   cd/tmp mkdir-m 0754 test_dir test_dir2

is typed in a linux shell, it is captured in a machine-readable formatusing XML as follows: <amin:command name=“mkdir”>     <amin:paramname=“target”>test_dir test_dir2</amin:param>     <amin:flagname=“mode”>0754</amin:flag>     <amin:shellname=“dir”>/tmp</amin:shell> </amin:command>

In this manner, by capturing administrative commands in a genericcommand framework, the present invention allows the separation ofchoices (administrative commands, data, decisions) from processes (theshell, user interface, back-end processing). This separation enablescapturing administrative processes in a machine-readable format. Thiscan then be used to automate execution of the captured administrativeprocesses.

In one embodiment of the present invention, namespaces are incorporatedinto profiles to add additional metadata to the profiles. An XMLnamespace is a collection of names, identified by a URL reference, whichare used in XML documents as element types and names. Namespaces arecreated and used to prevent element names from clashing in two or moreXML syntax definitions. Hence, administrators can add additionalmetadata to the profiles using their own namespaces without affectingthe already existing namespaces.

At step 103, profiles are generated by combining all the capturedadministrative commands that define an administrative task. Hence, aprofile is a machine-readable version of an administrative task, andcomprises captured administrative commands, which when executed lead tothe accomplishment of the objective of the administrative task.

At step 105, one or more network maps are generated. Each network mapcomprises details of network servers on which one or more administrativecommands, which constitute an administrative task, need to be performed.A network map can be a security network map, a webserver network map, adatabase network map, or an entire network map containing details of allthe servers employed in the network.

At step 107, administrative lists are generated for each administrativeprocess that has to be executed. Each administrative list corresponds toan administrative process, and comprises one or more profiles, whichdefine the administrative tasks that constitute the administrativeprocess. A pre-defined order according to which administrative tasksneed to be executed is also provided in the administrative list. Hence,an administrative list represents an administrative process in astructured machine-readable format. An administrative list can alsocomprise one or more network maps and associations between the networkmaps(s) and the profiles contained in the administrative list. Theassociation between a network map and a profile defines the server(s) onwhich each administrative command in the profile has to be executed.

In one embodiment of the present invention, the profiles, network mapsand administrative lists are captured in a machine-readable format usingXML.

FIG. 2 describes a method for capturing the administrative processes andautomating the execution of the captured administrative processes, inaccordance with one embodiment of the present invention.

At step 201, administrative processes are captured in a machine-readableformat. The method of capturing the administrative processes has beenexplained in detail earlier, with reference to FIG. 1.

At step 203, the first set of administrative lists is selected,depending on the administrative process to be performed. The selectionof the first set of administrative lists can be performed manually by anadministrator or automatically. Automatic selection is based on a set ofpre-defined administrative list selection rules. These rules define themanner in which administrative lists need to be selected based on themessages received from the administered network. Hence, anadministrative list can be selected for processing by an administrator,or it can be selected automatically by the processing machine, using ascript containing a pre-defined set of rules specified by theadministrator.

At step 205, the first profile contained in the selected administrativelist is selected.

At step 207, the selected profile is read by a processing machine.

At step 209, it is determined whether the read profile needs to betransformed or not. The profile transformation process involves changingthe profiles from a first machine-readable format to a secondmachine-readable format. The determination of the need to transformprofiles is based on a set of pre-defined transformation rules.

The transformation rules may be stored locally in the system or networkbeing administered, or they can be stored outside it. For instance,consider a case where a local area network (LAN) is being administered.In such a case, the transformation rules may be stored in a documentthat is stored in the LAN or at some external Uniform Resource Locator(URL) in an external network, such as the Internet. When the documentcontaining the transformation rules is stored at an external URL,references to the URL can be used to access the transformation rules.

In one embodiment of the present invention, profiles are generated usingXML. In this embodiment, the transformation of profiles involvesconverting an XML profile into a second XML profile. Transformations canbe performed using various available XML transformation languages suchas XSLT (Extensible Style Sheet Transformation) for transforming XMLdocuments from one form to another.

As determined at step 209, if the read profiles need to be transformed,step 211 is performed. At step 211, the selected profiles aretransformed from a first machine-readable format to a secondmachine-readable format and step 213 is performed.

At step 213, the transformed profiles are parsed to generate events.

As determined at step 209, if the read profiles do not need to betransformed, step 213 is performed. At step 213, the read profiles areparsed to generate events.

Once the transformed/read profiles are parsed, the generated events aredirected to appropriate administered components for execution.Administered components comprise devices and components (softwaremodules and system commands) whose administration needs to be automated.Examples of administered components include network devices such asrouters and packet shapers, software programs and system commands foraccomplishing administrative tasks.

It will be apparent to a person skilled in the art that administeredcomponents are not limited to the above-mentioned examples. Anycomponent, which is required to execute an event generated after parsingof the profile, will comprise administered components in the environmentof the present invention.

At step 215, the generated events are executed using the administeredcomponents.

Control messages such as “success”, “error” or “not processed” aregenerated by the administered components in response to the executedevents. Some system messages such as stdOUT or stdERR may also begenerated. These system messages are the standard messages generated byshell components in response to the processing of any shell command. Themessages provide metadata regarding the executed events.

At step 217, all the control messages corresponding to the parsedprofile are collected. At step 219, the parsed profile is updated, basedon the collected messages.

In one embodiment of the present invention, a parsed profile is updatedby appending the collected messages (corresponding to the parsedprofile) to the parsed profile. For example, consider a profile givenbelow to create a directory: <amin:command name=“mkdir”>     <amin:paramname=“target”>test_dir test_dir2</amin:param>     <amin:flagname=“mode”>0754</amin:flag>     <amin:shellname=“dir”>/tmp</amin:shell>   </amin:command>   <amin:commandname=“mkdir”>     <amin:param name=“target”>/tmp/test_dir3</amin:param>    <amin:flag name=“mode”>0755</amin:flag> </amin:command>

After this profile is has been parsed and is appended with the collectedmessages, the updated profile would appear as follows:   <amin:commandname=‘mkdir’>     <amin:param name=‘target’>test_dirtest_dir2</amin:param>     <amin:flag name=‘mode’>0754</amin:flag>    <amin:shell name=‘dir’>/tmp</amin:shell>    <amin:messagetype=‘success’>Making directories in /tmp (perm: =0754):test_dir,test_dir2</amin:message></amin:command>    <amin:command name=‘mkdir’>    <amin:param name=‘target’>/tmp/test_dir3</amin:param>     <amin:flagname=‘mode’>0755</amin:flag>    <amin:message type=‘success’>Makingdirectories in (perm:=0755):/tmp/test_dir3</amin:message></amin:command>

The appended message “success” signifies that the directory has beencreated successfully.

After the profile has been updated at step 219, step 221 is performed.At step 221, it is determined whether the updated profile needs to beprocessed again. This determination is based on the messages containedin the updated profile and the administrative task to be performed.

For example, consider a case when a profile for creating a directory isprocessed and appended with messages generated by the administeredcomponents. The updated profile appears as follows: <amin:commandname=‘mkdir’>     <amin:param name=‘target’>test_dir/amin:param>    <amin:flag name=‘mode’>0754</amin:flag>     <amin:shellname=‘dir’>/tmp</amin:shell>     <amin:message type=‘success’>    Making directories in /tmp (perm: =0754):test_dir    </amin:message> </amin:command> <amin:command name=‘mkdir’>    <amin:param name=‘target’>test_dir2</amin:param>     <amin:flagname=‘mode’>0754</amin:flag>     <amin:shellname=‘dir’>/tmp</amin:shell>     <amin:message type=‘error’>     Directory test_dir2 exists     </amin:message> </amin:command><amin:command name=‘mkdir’>     <amin:paramname=‘target’>/tmp/test_dir3</amin:param>     <amin:flagname=‘mode’>0755</amin:flag>     <amin:message type=‘not processed’>     This element was not processed     </amin:message> </amin:command>

The appended messages <‘success’>, <‘error’> and <‘not processed’>signify that one command in the profile was successful, one indicated anerror, and one was not processed. Based on the messages appended to thecommands in the profile, the processing machine decides whether theprofile needs to be re-processed . For example, if the messages appendedto all executed commands in the processed profile are <‘success’>, thenthe processing machine decides that the profile does not need to beprocessed again. However, in case there is an <‘error’> or a <‘notprocessed’> message appended to any of the commands in the profile, theprocessing machine decides to process the profile again.

If the updated profile needs to be processed again, it is selected forprocessing, and steps 207-219 are performed for it.

However, as determined at step 221, if the updated profile does not needto be processed again, step 223 is performed. At step 223, it isdetermined whether the selected administrative list contains any moreunprocessed profiles.

If the selected administrative list contains other profiles, which havenot been processed, step 225 is performed. At step 225, the nextunprocessed profile contained in the selected administrative list isselected and steps 207-219 are performed for the newly selected profile.

In this manner, the automated selection and processing of administrativelists and the constituent profiles leads to the automated execution ofthe administrative processes.

FIG. 3 illustrates the environment, in which the system for capturingthe administrative processes and automating the execution of thecaptured administrative processes of the present invention works, inaccordance with one embodiment of the present invention.

System 300 comprises a Profile Generator 301, a Network Map Generator303, an Administrative List Generator 305, a Front-end 307, and aBack-end 309.

Profile Generator 301 is a software module that captures alladministrative commands that constitute an administrative task, using ageneric command framework. Profile Generator 301 captures all theadministrative commands, including the manually entered and theautomatically generated administrative commands, in the form ofprofiles. For example, when a shell command for creating a directory isentered, Profile Generator 301 captures the command using a genericcommand framework. All administrative commands typed in a normal shellhave features such as name, flags, parameters, and other shell conceptslike path information, associated with them. All these features ofadministrative commands are captured in accordance with the genericcommand framework described in the present invention.

In one embodiment of the present invention, a structured mark-uplanguage such as XML is used to capture administrative commands in amachine-readable format. The following illustration presents an exampleof how Profile Generator 317 captures administrative commands in theform of profiles.

When the following administrative command is typed in a Linux shell,

-   -   cd/tmp mkdir-m 0754 test_dir test_dir2

Profile Generator 317 captures it in a generic command framework, usingXML, as <amin:command name=“mkdir”>     <amin:paramname=“target”>test_dir test_dir2</amin:param>     <amin:flagname=“mode”>0754</amin:flag>     <amin:shellname=“dir”>/tmp</amin:shell> </amin:command>

Network Map Generator 303 is a software module that generates networkmaps. A network map comprises details of network servers on which one ormore administrative commands, which constitute an administrative task,need to be performed. In one embodiment of the present invention,Network Map Generator 303 generates network maps by recording the namesand IP addresses of all servers that are involved in processing thegiven administrative commands. A network map containing details of twoservers named “jerry” and “mickey” is given here as an example.<amin:network xmlns:amin=“http://projectamin.org/ns/”>  <amin:servername=“jerry”>   <amin:ip>206.183.254.10</amin:ip>  <amin:port>2034</amin:port>  </amin:server>  <amin:servername=“mickey”>   <amin:ip>206.183.254.51</amin:ip>  <amin:port>3532</amin:port>  </amin:server> </amin:network>

Administrative List Generator 305 is a software module that generatesadministrative lists for each administrative process that has to beexecuted. Each administrative list corresponds to an administrativeprocess and comprises profiles that define the administrative tasks thatconstitute the administrative process. A pre-defined order in whichadministrative tasks need to be executed in order to execute theadministrative process is also provided in the administrative list.Hence, an administrative list represents an administrative process in astructured machine-readable format. An administrative list can alsocomprise associations between the constituent profiles and one or morenetwork maps.

Front-end 307 comprises one or more user interfaces, which enable theinteraction of a user with system 300. Examples of user interfacesinclude a graphical user interface (GUI), a web user interface, or othertypes of interfaces such as command-line user interfaces. Front-end 307enables users to select administrative lists, profiles and network maps,depending on the administrative process to be performed. In a fullyautomated system, Front-end 307 performs such selection ofadministrative lists automatically in response to a system requirement,without any user intervention. Front-end 307 reads the selected profilesand passes the read profiles to back-end 309 for processing.

In one embodiment of the present invention, Front-end 307 can alsoperform transformations. Transformations involve the conversion ofprofiles from a first machine-readable format to a secondmachine-readable format.

Transformations can be of two types—conditional transformations andglobal transformations. Conditional transformations involve theselective transformation of the read profiles that meet a set ofpre-defined transformation conditions. Global transformations involvethe unconditional transformation of all read profiles. Front-end 307generally performs transformations where conditional transformations areinvolved.

For example, consider a profile for building a software which containsthe hard coded location of the source code for that software. Followingis an example of such a profile, generated by using XML: <amin:commandname=“unpack”>  <amin:param name=“target”>/usr/src</amin:param> <amin:param name=“archive”>/dir-sources/33/ bash-2.05b.tar.gz</amin:param> </amin:command>.

Now assume that the source code for building the software is put in/my/archive instead of in /dir-sources/33/ as specified in theabove-mentioned profile. In such a case, a transformation would berequired to correct the location of the source code in the profile.However, there might be another profile in which the new source codelocation (/my/archive) is specified. Therefore, this profile does notneed to be transformed. This presents an example of a conditionaltransformation, wherein one profile needs to be transformed while theother does not. Therefore, Front-end 307 will perform thistransformation.

In accordance with one embodiment of the present invention, suchtransformations are performed in accordance with the rules defined bythe use of XML transformation languages such as XSLT.

Back-end 309 comprises one or more Controllers 311 and an event-drivenmachine 313 for processing the selected profiles. The choice ofevent-driven machine 313 depends on the machine-readable format in whichthe profiles have been expressed.

Event-driven machine 313 comprises one or more Generators 315, one ormore Filters 317, and one or more Handlers 319.

In one embodiment of the present invention, the administrative processesare captured using XML. In this embodiment, event-driven machine 313 isa SAX (Simple API for XML) machine. A SAX machine is an advanced way ofputting together SAX processing pieces (generators, filters andhandlers) and controlling the flow of information among them. A SAXmachine is a common parser interface for XML parsers. It allowsapplication writers to write applications that use XML parsers but areindependent of the parser that is actually used for parsing.

Controllers 311 act as a bridge between Front-end 307 and event-drivenmachine 319 by passing the profiles read by Front-end 307 to Generators315. Controllers 311 also passes back the updated profiles handed to itby Handlers 319 to Front-end 307. Controllers 311 are also responsiblefor setting up event-driven machine 313 in a flexible user-definedmanner. The manner in which controllers are designed depends on the typeof Front-end 307 connected to the back-end 309.

In accordance with one embodiment of the present invention, controllers311 can also perform profile transformations. Controllers 311 aregenerally involved in performing global transformations. That is,Controllers 311 generally perform transformations when a global set ofrules needs to be enforced on all profiles, which are sent toControllers 311 by Front-end 307.

Generators 315 are components that generate a series of events as theyread the profiles passed to them by Controllers 311. In one embodimentof the present invention, Generators 315 are XML parsers. XML parserscan be based on the push parsing/event-based parsing model. In thismodel, the parser breaks down XML documents into identifiable pieces andsends notifications regarding these pieces to different applications.The notifications are sent in “reading” order, that is, as they appearin the text of the parsed document.

In another embodiment of the present invention, Generators 315 can readprofile-related data from a datasource and generate events by processingthe profile-related data. The datasource may be a database, an Idapserver or other such datasources, which can store the profile-relateddata, which is to be read by Generators 315. For example, in oneembodiment of the present invention, Generators 315 can readevent-related data from a perl data structure and process it to generateevents.

It would be apparent to a person skilled in the art that Generators 315of the present invention are not limited to reading profile-related datafrom a perl datastructure. Generators 315 can read and processprofile-related data, stored in any type of data structure.

The generated events are directed to Filters 317. Filters 317 aresoftware modules that directly interact with administered components321, and direct the generated events to be executed to appropriateadministered components 321.

Administered components 321 comprise hardware devices 323, systemcommands 325, and other components 327, which are used to execute thegenerated events. Examples of other administered components comprisesoftware programs such as web servers and database servers, servicemonitoring programs, IDS systems, backup programs, and other suchcomponents, that administrators need to interact with to performadministrative tasks.

The generated events are executed at administered components 321, towhich they are directed. Administered components 321 generate messagesin response to the execution of the generated events.

Once the events are executed, Filters 317 collect the messages generatedby administered components 321 in response to the execution of eachevent.

Filters 317 then pass the messages corresponding to each executed eventto Handlers 319. Filters 317 may pass all the messages, or they mayfilter these messages and pass only some of the messages, to Handlers319. Further, Filters 317 may also modify some of the messages beforethese messages are passed to Handlers 319. In one embodiment of thepresent invention, Filters 317 are SAX filters. As known in the art, SAXfilters can be designed to incorporate different message filteringrules. For example, Filters 317 can block all messages, or let allmessages pass to other system modules. They can also be designed to addor remove an attribute from the messages before passing them to othersystem modules.

In one embodiment, Handlers 319 are XML writers that append thecollected messages to the parsed profiles. The parsed profiles that havebeen appended with the messages (generated In response to the executionof the events contained in the profile) are called updated profiles.Handlers 319 further pass the updated profiles back to Controllers 311,which in turn pass them to Front-end 307.

In this manner, the system of the present invention enables theexecution of the captured administrative processes.

An advantage offered by the present invention is that it uses a genericcommand framework to capture all administrative commands. It does notuse different command frameworks to capture different administrativecommands. This significantly reduces the complexity involved in theprocess of capturing administrative commands and automating theexecution of the administrative processes.

In one embodiment of the present invention, the system and methoddescribed in the present invention are used to build a Security Managerapplication to manage the security levels of a network. The SecurityManager application generates administrative lists, profiles and networkmaps to manage security or firewall levels of the network. For example,the Security Manager application may generate administrative listscomprising an attack administrative list, an all-clear administrativelist, and a closed administrative list. Each of these administrativelists comprises profiles containing administrative commands that changethe firewall for the network, bringing it to an appropriate securitylevel. When the security of the network is threatened, an IntrusionDetection System (IDS) installed in the network causes a script to berun. The script causes the Security Manager application to select andrun the attack administrative list. The attack administrative listcomprises the attack.xml profile and the entire-network map. Hence, theattack.xml profile is sent to each firewall server listed in theentire-network map. The execution of this profile upgrades the securitylevel of the network to a level higher than the original security level.

The IDS continues to run appropriate scripts in response to the securityrequirements of the network, and causes the Security Manager to selectother administrative lists. For example, if the attack escalates, theSecurity Manager selects and runs the closed administrative listcontaining the closed.xml profile, which, when executed on the firewallservers in the network, shuts down the entire network. Hence, in thisembodiment, no human intervention is needed and the security problem ofthe network is administered by the present invention in an automatedmanner.

While the various embodiments of the invention have been illustrated anddescribed, it will be clear that the present invention is not limited tothese embodiments only. Numerous modifications, changes, variations,substitutions and equivalents will be apparent to those skilled in theart, without departing from the spirit and scope of the invention asdescribed in the claims.

1. A method for capturing administrative processes in a machine-readableformat, the administrative processes being processes that need to beimplemented by an administrator for achieving different objectives in alocal or a networked environment, the administrative processescomprising at least one administrative task and the administrative taskcomprising administrative commands, the method comprising the steps of:a. creating a generic command framework to capture the structure of alltypes of administrative commands used in the administrative processes;b. generating profiles by capturing the administrative commands in thegeneric command framework in a machine-readable format, the profilesbeing collections of machine-readable administrative commands thatdefine an administrative task; c. generating network maps, each networkmap comprising details of one or more servers in the networkedenvironment; d. generating administrative lists, each administrativelist comprising one or more profiles that define administrative tasks,which constitute an administrative process; wherein each administrativelist captures an administrative process in a machine-readable format,which can be processed by processing machines for automating executionof the administrative process.
 2. The method of claim 1 wherein the stepof generating administrative lists comprises defining associationsbetween profiles present in the administrative list and one or morenetwork maps, the association between a profile and one or more networkmaps defining the server(s) on which the administrative task defined bythe profile needs to be performed.
 3. The method of claim 1 wherein theadministrative commands are captured in a machine-readable format by thestep of writing them according to the generic command framework in astructured mark up language.
 4. A method for automating execution ofadministrative processes in a local or a networked environment, theadministrative processes comprising at least one administrative task andthe administrative task comprising administrative commands, the methodcomprising the steps of: a. creating a generic command framework thatcan be used to capture structures of all types of administrativecommands used in the administrative processes; b. generating profiles bycapturing the administrative commands in the generic command frameworkin a structured mark up language to create profiles, the profiles beingcollections of administrative commands that define an administrativetask; c. generating network maps, each network map containing details ofone or more servers in the networked environment; d. generatingadministrative lists, each administrative list being a collection of oneor more profiles and zero or more network maps, that defineadministrative tasks, which are required to be performed for executingan administrative process; e. selecting a first set of administrativelists based on a selected administrative process, which is to beexecuted; f. selecting the first profile from among the profilescontained in the selected first set of administrative lists; g.processing the selected profile, the processing of selected profilecomprising the steps of: i. parsing the selected profile to generateevents; ii. executing the generated events using administeredcomponents, the administered components comprising at least one of localsystem devices, networked system devices, software programs and systemcommands, which are used to execute the generated events; iii.collecting messages generated by administered components in response tothe execution of generated events; iv. updating the selected profilebased on the collected messages; v. deciding if the updated profileneeds to be processed again, the decision being made based on themessages using which the selected profile has been updated; vi. if theupdated profile needs to be processed again, then performing the stepsof a) selecting the updated profile for processing; b) repeating step ffor the selected profile; else performing the steps of c) selecting nextprofile to be processed from the selected first set of administrativelists based on the administrative tasks to be performed; and d)repeating step f for the selected new profile; wherein the execution ofadministrative processes is automated by the automated processing ofprofiles that define the administrative tasks, which are required to beperformed for executing the administrative processes.
 5. The method ofclaim 4 further comprising the steps of: a. determining if the selectedprofile needs to be transformed before processing, the transformationbeing required when the selected profile needs to be converted from afirst format of structured mark up language to a second format of thestructured mark up language; if the selected profile needs to betransformed, then b. transforming the selected profile from the firstformat to the second format using a set of pre-defined rules; else c.processing the selected profile in the first format.
 6. The method ofclaim 4 wherein an administrative list further comprises associationsbetween the profiles present in the administrative list and one or morenetwork maps, the association between a profile and one or more networkmaps defining the server(s) in the networked environment, on which theadministrative task defined by the profile in the administrative listneeds to be performed.
 7. The method of claim 4 wherein the step ofexecuting the generated events comprises the steps of: a. directing thegenerated events to administered components using which the generatedevents can be executed; and b. executing the generated events using theadministered components to which the generated events have beendirected.
 8. The method of claim 4 wherein the generated messagescomprise control messages and system messages.
 9. The method of claim 4wherein the step of updating the selected profile based on the collectedmessages comprises the steps of: a. appending the generated messages ina structured mark up language to the selected profile; and b. storingthe updated profile.
 10. A system for automating administrativeprocesses in a local or a networked environment, the administrativeprocesses comprising administrative tasks and the administrative taskscomprising administrative commands, the system comprising: a. a profilegenerator for generating profiles in a structured mark up language, theprofiles being collections of administrative commands that define anadministrative task; b. a network map generator for generating networkmaps, the network maps containing details of one or more servers in thenetworked environment; c. an administrative list generator forgenerating administrative lists, each administrative list being acollection of one or more profiles that define administrative tasks,which are required to be performed for executing an administrativeprocess; d. a front-end for enabling at least one function from amongthe functions of selecting profiles contained in administrative lists,reading the selected profiles and transforming the selected profiles;and e. a back-end comprising: i. an event-driven machine for processingthe selected profiles written in a structured mark up language; and ii.one or more controllers for connecting the front-end with theevent-driven machine for processing the selected profiles, thecontrollers passing the selected profiles from the front-end to theevent-driven machine.
 11. The system of claim 10 wherein theevent-driven machine for processing the selected profiles comprises: a.one or more generators, which generate events by parsing the selectedprofile; b. one or more filters, the filters directing the generatedevents to administered components and causing execution of the generatedevents at the administered components, thereby leading to the generationof messages by the administered devices in response to the execution ofthe generated events; and c. one or more handlers, for updating theselected profile with messages generated by the administered components.12. The system of claim 10 wherein the administered components compriseat least one of local devices, networked devices, software programs andsystem commands, which are used for executing the generated events. 13.The system of claim 10 wherein the controller further transforms theselected profile from a first format of structured mark up language to asecond format of the structured mark up language, based on a set ofpre-defined rules.
 14. The system of claim 13 wherein the pre-definedrules are stored locally in the controller where the transformation ofselected profiles is performed, or are stored outside the controller inthe networked environment.
 15. A computer program product, comprising acomputer usable medium having a computer readable program code embodiedtherein, for capturing and automating the execution of administrativeprocesses in a local or a networked environment, the administrativeprocesses comprising administrative tasks and the administrative taskscomprising administrative commands, the computer program productcomprising: a. program instruction means for capturing theadministrative commands in a generic command framework in a structuredmark up language to create profiles, the profiles being collections ofadministrative commands that define an administrative task; b. programinstruction means for generating network maps, each network mapcontaining details of one or more servers in the networked environment;c. program instruction means for generating administrative lists, eachadministrative list being a collection of one or more profiles thatdefine administrative tasks, which are required to be performed forexecuting an administrative process; d. program instruction means forselecting a first set of administrative lists based on a selectedadministrative process, which is to be executed; e. program instructionmeans for selecting the first profile from among the profiles containedin the selected first set of administrative lists; f. programinstruction means for processing the selected profile, the programinstruction means for processing the selected profile comprising: i.program instruction means for parsing the selected profile to generateevents; ii. program instruction means for executing the generated eventsusing administered components, the administered components comprising atleast one of local system devices, networked system devices, softwareprograms and system commands, which are used to execute the generatedevents iii. program instruction means for collecting messages generatedby administered components after the execution of generated events; iv.program instruction means for updating the selected profile based on thecollected messages; v. program instruction means for checking if theupdated profile needs to be processed again; and vi. program instructionmeans for selecting the next profile contained in the selected first setof administrative lists.
 16. The computer program product of claim 15further comprising a program instruction means for transforming theselected profile before processing, the transformation being requiredwhen the selected profile needs to be converted from a first format ofstructured mark up language to a second format of the structured mark uplanguage.
 17. The computer program product of claim 15 wherein theprogram instruction means for executing the generated events furthercomprises: a. program instruction means for directing the generatedevents to administered components using which the generated events canbe executed; and b. program instruction means for causing execution ofthe generated events using the administered components to which thegenerated events have been directed.
 18. The computer program product ofclaim 15 wherein the program instruction means for updating a profilebased on the collected messages comprises: a. program instruction meansfor appending the generated messages in a structured mark up language tothe selected profile; and b. program instruction means for storing theupdated profile.
 19. A system for automating administrative processes ina local or a networked environment, the administrative processescomprising administrative tasks and the administrative tasks comprisingadministrative commands, the system comprising: a. a profile generatorfor generating profiles in a structured mark up language, the profilesbeing collections of administrative commands that define anadministrative task; b. a network map generator for generating networkmaps, the network maps containing details of one or more servers in thenetworked environment; c. an administrative list generator forgenerating administrative lists, each administrative list being acollection of one or more profiles that define administrative tasks,which are required to be performed for executing an administrativeprocess; d. a front-end for enabling at least one function from amongthe functions of selecting a profile contained in administrative lists,reading the selected profile and transforming the selected profiles; ande. a back-end comprising: i. an event-driven machine for processing theselected profile written in a structured mark up language, theevent-driven machine further comprising: a) one or more generators,which generate events by parsing the selected profile; b) one or morefilters, the filters directing the generated events to administeredcomponents and causing execution of the generated events at theadministered components, thereby leading to the generation of messagesby the administered devices in response to the execution of thegenerated events; and c) one or more handlers, for updating the selectedprofile with the messages generated by the administered components. ii.one or more controllers for connecting the front-end with theevent-driven machine for processing the selected profile, thecontrollers transforming the profile from one format of structured markup language to another format, if required, based on a set ofpre-defined rules and passing the selected profile from the front-end tothe event-driven machine.
 20. The system of claim 19 wherein theadministered components comprise at least one of local devices,networked devices, software programs and system commands, which are usedfor executing the generated events.